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© Information processing apparatus with replaceable security element. 
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© A field upgradeable security system deciphers 
signals received from a communication network. An 
information processor (10) includes a receptacle for 
receiving a replaceable security element (12). The 
replaceable security element generates a working 
key (WK) necessary to the operation of the informa- 
tion processor. The working key is communicated to 
the information processor encrypted under a secret 
key (A(M)). The information processor decrypts the 
encrypted working key for use in deciphering a 
received communication signal. Additional layers of 
encryption (A(C), U(M), U(C)) can be added to the 
communications between the information processor 
and security element to increase the level of secu- 
rity. 
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BACKGROUND OF THE INVENTION 

The present invention relates generally to se- 
curity apparatus for information processing sys- 
tems, and more particularly to apparatus for selec- 
tively controlling the deciphering of information sig- 
nals, such as scrambled television programs. 

There are many schemes available for control- 
ling the remote descrambling of television signals. 
Such schemes are necessary to maintain security 
in subscription television systems, including cable 
television systems and satellite television systems. 
Typically, a system subscriber is provided with a 
descrambler connected between a television signal 
source (e.g., cable feed or satellite receiver) and a 
television set. Each subscriber's descrambler is 
remotely accessed by the system operator to en- 
able or disable the receipt of specific services such 
as the Home Box Office movie channel or special 
pay-per-view sports events. One problem with such 
systems is that "pirates" are apt to break the 
system security and sell "black boxes" that enable 
the reception of ail programming without paying for 
the services received. It has been difficult and 
expensive for system operators to contend with the 
piracy problem. Once a particular security system 
is breached, the system operator must usually re- 
place all existing descramblers with new units that 
operate with a different security algorithm. This 
solution is not cost effective. 

Various systems have been designed to make 
piracy more difficult. One such system is disclosed 
in U.S. patent 4,613,901 to Gilhousen, et al entitled 
"Signal Encryption and Distribution System for 
Controlling Scrambling and Selective Remote De- 
scrambling of Television Signals", incorporated 
herein by reference. In the Gilhousen, et al system, 
a "working key" signal is generated in accordance 
with the well known data encryption standard 
("DES") security algorithm, after the algorithm is 
keyed by either a common category key signal or 
some other key signal. A unique encryption key 
stream is generated by processing an initialization 
vector signal in accordance with the DES algorithm 
when the algorithm is keyed by the working key 
signal. A television signal is scrambled in accor- 
dance with the unique encryption key stream to 
provide a scrambled television signal. A plurality of 
unique encrypted category key signals individually 
addressed to different selected subscribers' de- 
scramblers are generated by processing the initial 
common category key signal in accordance with 
the DES algorithm when the algorithm is keyed by 
a plurality of different "unit key" signals associated 
with different descramblers. The scrambled televi- 
sion signal, initialization vector signal, and plurality 
of encrypted category key signals are broadcast to 
the descramblers. At each descrambler, the en- 



cryption key stream is reproduced to descramble 
the television signal. Each descrambler has its 
unique unit key signal stored in memory for use in 
reproducing the common category key signal when 

5 the descrambler is addressed by its unique en- 
crypted category key signal. By using the DES 
algorithm, the Gilhousen, et al system provides a 
high level of security, making it difficult and expen- 
sive for a pirate to reproduce the working key. 

w Other selective subscription descrambling sys- 
tems are disclosed in Gilhousen, et al U.S. Patents 
4,712,238 and 4,792,973. These patents provide 
improved systems for enabling descrambling of a 
received scrambled signal on an impulse-purchase 

75 basis. U.S. Patent 4,634,808 to Moerder discloses 
a system for reproducing a key signal in a de- 
scrambler that is unique to the descrambler, and 
was used in encrypting a key signal that must be 
decrypted for use in descrambling a television sig- 

20 nal. However, no security system is unbreakable, 
and determined pirates can be expected to ulti- 
mately prevail. 

It would be advantageous to provide an im- 
proved system in which security can be ec- 

25 onomically upgraded after a breach. It would be 
further advantageous if the security upgrades could 
be made in the field by the simple replacement of 
a relatively low cost security element containing a 
new security algorithm. The security element 

30 should be replaceable by a subscriber in his home 
without any need for a visit from service personnel. 

It would also be advantageous to protect the 
interface between the subscriber's descrambler 
and the replaceable security element, so that oth- 

35 ers could not easily manufacture their own security 
elements to defeat the system or to use the de- 
scrambler for other unauthorized purposes. If the 
wrong security element is installed, the descram- 
bler must not work. 

40 The present invention provides an upgradeable 

security system, an information processor, and a 
replaceable security element that enjoy the afore- 
mentioned advantages. 

45 SUMMARY OF THE INVENTION 

In accordance with the present invention, a 
field upgradeable security system is provided for 
deciphering signals received from a communication 

50 network. An information processor includes a re- 
ceptacle for receiving a replaceable security ele- 
ment. The replaceable security element includes 
means for generating a working key, means for 
encrypting the working key with a secret key, and 

55 means for communicating the encrypted working 
key to the information processor. The information 
processor decrypts the encrypted working key for 
use in deciphering a received communication sig- 
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nal. 

In a preferred embodiment, the secret key 
comprises a first authentication key associated with 
the information processor. The first authentication 
key is securely communicated to the security ele- 
ment for use in encrypting the working key. A 
second authentication key is associated with the 
security element. Means are provided for securely 
communicating the second authentication key to 
the information processor. The security element 
then encrypts the working key with both the first 
and second authentication keys. 

The information processor can further comprise 
a first unit key associated therewith and means for 
receiving the second authentication key encrypted 
under the first unit key. Means are provided for 
decrypting the received second authentication key 
for subsequent use in decrypting the working key. 
Similarly, the security element can comprise a sec- 
ond unit key associated therewith and means for 
receiving the first authentication key encrypted un- 
der the second unit key. The received first authen- 
tication key is decrypted by the security element 
for subsequent use in encrypting the working key 
prior to communicating it to the information proces- 
sor. 

In order to generate the working key, the secu- 
rity element requires input data that can be se- 
curely communicated to it via the information pro- 
cessor. The information processor receives the 
data in an encrypted form from a "trusted center", 
decrypts it at least in part, and then further en- 
crypts it for communication to the security element. 
In a preferred embodiment, the data is received by 
the information processor encrypted under at least 
the second unit key, and communicated from the 
information processor to the security element un- 
der the second unit key and at least one of the 
authentication keys. 

In another embodiment, a replaceable security 
element is provided for use in combination with an 
information processor having a secret cryptograph- 
ic key. The security element receives data for use 
in generating a working key. The security element 
receives the secret key via an encrypted commu- 
nication, and decrypts the secret key- for use in 
encrypting the working key. The encrypted working 
key is then communicated to the information pro- 
cessor by the security element for use in process- 
ing an information signal. In a preferred implemen- 
tation, the secret key is received by the security 
element encrypted under a unit key associated 
therewith. An additional cryptographic key may be 
associated with the security element, and the work- 
ing key may be encrypted with both the secret and 
additional keys. The data received by the security 
element for use in generating the working key may 
also be encrypted under at least one of the secret 



and unit keys. In this event, the security element 
comprises means for decrypting the received data. 

An information processor is provided for use in 
combination with a replaceable security element. 

5 Means are provided within the information proces- 
sor for receiving the security element. A secret 
cryptographic key is associated with and stored in 
the information processor. Means are provided for 
receiving a working key, encrypted under the se- 

10 cret key, from the security element. The received 
working key is decrypted and used to process an 
information signal. In a preferred embodiment, an 
additional cryptographic key associated with the 
security element is received and stored. The re- 

75 ceived working key is encrypted under the secret 
key and the additional key for decryption and use 
by the information processor. 

The information processor can also include 
means for receiving data for use by the security 

20 element in generating the working key. Means are 
provided for communicating the data to the secu- 
rity element. Means may also be provided for en- 
crypting the data under one or both of the secret 
and additional keys before it is communicated to 

25 the security element. 

The information processor can further comprise 
means for receiving and storing characteristic in- 
formation (e.g., an address) identifying the security 
element and means for screening the received 

30 data, on the basis of the characteristic information, 
for selective communication to the security ele- 
ment. The information signal processed by the 
information processor can comprise a scrambled 
communication signal to be descrambled. Means 

35 can be provided for enabling and disabling the 
security element in response to a received control 
signal, and for descrambling communication sig- 
nals according to a default descrambling algorithm 
in the absence of an enabled security element. 

40 The information processors according to the 

present invention are, in particular, designed to be 
used with a security element according to the 
present invention, preferably one according to 
claims 19 to 26. 

45 

BRIEF DESCRIPTION OF THE DRAWINGS 

Figure 1 is a block diagram illustrating an in- 
formation processor and replaceable security 
so element in accordance with the present inven- 
tion; 

Figure 2 is a diagram illustrating the information 
flow to the information processor and the secu- 
rity element during initialization of a new secu- 
55 rity element; and 

Figure 3 is a diagram illustrating the information 
flow of data to the information processor and 
security element and the communication of the 
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encrypted working key from the security ele- 
ment to the information processor in accordance 
with the present invention. 

DETAILED DESCRIPTION OF THE INVENTION 

The present invention provides a system for 
recovering from security compromises in an in- 
formation processing system, such as a satellite 
television communication network. In an illustrated 
embodiment, a replaceable security element is 
coupled to a satellite television descrambler for use 
in generating working keys that are subsequently 
communicated to the descrambler to enable the 
descrambling of received signals. The security ele- 
ment is a relatively low cost device that is replaced 
with a new security element operating with a dif- 
ferent security algorithm each time a prior security 
element on its algorithm has been breached. The 
security element can comprise, for example, a 
credit card sized "smart card" or a cartridge con- 
taining a microprocessor based working key gener- 
ator together with various supporting components. 

Turning to Figure 1, an information processor 
("module") generally designated 10 is provided. 
Information processor 10 can comprise a descram- 
bler module such as the VideoCipher II Plus de- 
scrambler module manufactured by General Instru- 
ment Corporation for use in connection with the 
VideoCipher line of satellite receivers. Information 
processor 10 includes all of the components of the 
VideoCipher II Plus descrambler module, including 
a microprocessor 14 and ROM 16 for storing pro- 
gram instructions for the microprocessor. A cryp- 
tographic processor ("crypto") 24 is also provided 
in the VideoCipher II Plus descrambler module, 
coupled to microprocessor 14 via bus 18, for effec- 
ting signal descrambling on the basis of a working 
key signal as set forth in the aforementioned Gil- 
housen, et al U.S. Patent 4,613,901. 

In accordance with the present invention, in- 
formation processor 10 also includes several new 
components. These are a key and address random 
access memory ("RAM") 20 and a message filter 
and interface circuit 22. Key and address RAM 20 
stores a secret key for the information processor 
and a unique address assigned to a security ele- 
ment generally designated 12. Message filter and 
interface 22 uses the security element address 
stored in RAM 20 to determine what messages 
received from the communication network (e.g., 
satellite television system) at input terminal 1 1 are 
specifically addressed to security element 12. The 
message filter discards all messages not intended 
for its associated security element 12. 

It should be appreciated that other methods 
exist for providing messages to specific security 
elements. For example, data sent to a security 



element by a trusted center can be communicated 
to the associated information processor with 
instructions for passing the data on to the security 
element. The data itself can be encrypted under 

5 the information processor unit key to prevent its 
use by any other information processor and secu- 
rity element combination. 

Information processor 10 and security element 
12 are connected via signal path 26 and their 

10 respective interfaces 22, 36. Signals flowing from 
information processor 10 to security element 12 
include the data required by the security element 
to generate working keys and data identifying a 
secret "authentication" key uniquely associated 

75 with the information processor. In a preferred em- 
bodiment, security element 12 also has its own 
authentication key, which can be preloaded upon 
manufacture or subsequently received by the secu- 
rity element via path 26 from data input to the 

20 information processor at terminal 11. The working 
keys required by crypto 24 to descramble an in- 
formation (e.g., television) signal are also commu- 
nicated over path 26, from security element 12 to 
information processor 10. 

25 In accordance with the present invention, the 

working keys are encrypted by security element 1 2 
with the secret authentication key of information 
processor 10. The encryption of the working keys 
with the information processors secret key pro- 

30 vides a substantial advantage in the present sys- 
tem. In particular, a security element that does not 
know the information processor's secret authentica- 
tion key will be unable to properly encrypt working 
keys for use by crypto 24. Even if a security 

35 element were provided that could generate the 
necessary working keys, there would be no way to 
intelligibly transfer the working keys to the informa- 
tion processor without knowledge of the secret key. 
Any information that an improper security element 

40 transferred to information processor 10 without en- 
cryption under the secret key would be processed 
by crypto 24, but would not result in a properly 
descrambled signal. Therefore, there is no need to 
disable information processor 1 0 if an unauthorized 

45 security element is connected to it. If the wrong 
security element is installed, the system simply will 
not work. 

Security element 12 includes a cryptographic 
processor 34 that operates in combination with a 

50 microprocessor "working key generator" 28 to pro- 
vide the working keys. Those skilled in the art will 
appreciate that the functions of working key gener- 
ator 28 and cryptographic processor 34 can be 
provided in a single microprocessor. Data for gen- 

55 erating the working keys, which can comprise, for 
example, a category key and program key trans- 
mitted by a trusted center as disclosed in the 
aforementioned U.S. Patent 4,613,901, is preferably 
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received via path 26 in an encrypted form. Crypto 
34 decrypts the encrypted data and passes it to 
working key generator 28 via bus 32. Program 
instructions containing the security algorithm used 
by working key generator 28 are stored in ROM 30. 
It is noted that the security algorithm could al- 
ternately be contained in special purpose hardware 
that is part of the working key generator. An exam- 
ple of a known security algorithm is the DES al- 
gorithm previously mentioned. New security algo- 
rithms will be developed for each version of secu- 
rity element that is used to replace a prior version 
breached by a pirate. In this manner, each time a 
pirate breaks a system, all that the system operator 
has to do is to send out new security elements to 
all authorized subscribers. The subscribers replace 
the old security element with the new one, and 
once the existing subscriber base has been up- 
graded all signals for the breached system are 
terminated. A pirate will then have to break the new 
system, at which time it will be replaced by a 
subsequent system. 

During the transition from an old security sys- 
tem to a new security system, authorization signals 
can be transmitted for both systems. Alternately, 
crypto 24 in information processor 1 0 can resort to 
a default descrambting algorithm until all subscriber 
units have been upgraded. The default algorithm 
can be one previously used in existing VideoCipher 
II Plus descrambler modules. 

Nonvolatile memory (e.g., key RAM 38) is pro- 
vided in security element 12 to store the secret 
authentication key of information processor 10 for 
use by crypto 34, e.g., in encrypting the working 
keys prior to transmission via interface 36 and path 
26 to information processor 10. Key RAM 38 will 
also store any other keys necessary in the specific 
implementation used by security element 12, such 
as a unique unit key and/or authentication key 
associated with the security element. Power for 
security element 12 can be provided by a battery 
contained therein or from a power supply in in- 
formation processor 10 via path 26. 

When it becomes necessary to implement a 
security upgrade, each subscriber is provided with 
a new security element. Upon installation of the 
new security element, an initialization routine takes 
place. This can be effected, for example, by in- 
structing the subscriber to call a toll free telephone 
number to enable the receipt of an initialization 
message from a trusted center via the satellite 
receiver. This is referred to as "remote initializa- 
tion". Alternately, the security element and/or in- 
formation processor can . be programmed to auto- 
matically request (e.g., via a telephone modem) 
remote initialization upon installation of a new secu- 
rity element. In a different embodiment, the secu- 
rity element is pre-initialized with the necessary 



initialization data by the system operator prior to 
sending it to the subscriber. 

The flow of information to the information pro- 
cessor and security element during remote initial- 

5 ization is illustrated in Figure 2. At initialization, the 
cryptographic processor 24 of information proces- 
sor 10 will receive a message instructing it to go 
into security element support mode. If the specific 
implementation provides for message filtering by 

io the information processor on the basis of a security 
element address, the security element's address 
(SE address) will also be received. In addition, a 
security element authentication key (A(C)) encryp- 
ted under a unit key (U(M)) uniquely assigned to 

is the information processor will be received. These 
signals are indicated at box 40. 

Crypto 24 will decrypt the security element's 
authentication key and store it in secure RAM 20. It 
will also store the security element's address in 

20 RAM 20 if required for subsequent message filter- 
ing. 

The remote initialization message will also con- 
tain a unit addressed message to crypto processor 
34 of security element 12 containing the informa- 

25 tion processor's secret authentication key (A(M)) 
encrypted under a unit key (U(C)) assigned to the 
security element. In the event remote initialization 
is not used, all of the necessary initialization data 
will be loaded into the security element prior to 

30 forwarding it to the subscriber. 

Immediately after initialization, the data neces- 
sary to enable the security element to generate the 
working keys required by crypto 24 will be trans- 
mitted via satellite or other means (e.g., telephone), 

35 to enable authorized television signals to be de- 
scrambled. In the event remote initialization is not 
used, information not frequently broadcast (i.e., the 
category key) can be sent ahead of time and 
stored by the information processor for later trans- 

40 fer to the security element. 

An information processor can be remotely 
placed into "stand alone" mode, for use without 
security element 12. In this mode, it will operate 
functionally in the same manner as known 

45 VideoCipher II Plus descrambler modules, except 
that in remote initialization situations, it will always 
look for security element initialization messages 
that are addressed to it. 

When the information processor receives a re- 

50 mote initialization message to enable security ele- 
ment support mode, it must decrypt the security 
element's authentication key (A(C)) and store it in 
nonvolatile secure memory (e.g., key and address 
RAM 20) as indicated at box 42 of Figure 2. The 

55 information processor must also store the security 
element's unit address in nonvolatile memory 20, 
for implementations where security element ad- 
dressable message filtering is provided. It will then 
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pass its own authentication key (A(M)) encrypted 
by the security element unit key (U(C)) to the 
security element, which will decrypt the module 
authentication key and store it in key RAM 38 as 
indicated at box 44. Crypto 24 will then function in 5 
security element support mode. 

When crypto 24 is in security element support 
mode, its functionality changes. It will receive and 
process messages for both itself and for crypto 34 
of the security element, and will also receive and 10 
process the data needed by the security element 
for use in generating the working keys. If the in- 
formation processor receives a message to return 
to stand alone mode, it will do so and disable the 
security element interface. 75 

In a preferred embodiment, all secure values 
that cross the interface between the information 
processor and security element are encrypted (or 
decrypted) by the authentication keys of both the 
information processor and the security element 20 
The status of the secure values passed to the 
information processor and between the information 
processor and the security element are illustrated 
in Figure 3. As can be seen, when information 
processor 10 receives a "category key" ("CK") 25 
message (boxes 50, 52), which key is part of the 
data used by the security element to generate 
working keys, it must decrypt the encrypted cate- 
gory key (E U(M) Du(c)(CK)) using its own unit key (U- 
(M)), and then it must decrypt the result under its 30 
own authentication key (A(M)) (which is known to 
the security element) before passing this field out 
to the security element (box 54). The second de- 
cryption (D A (M)(Du(o(CK))) is used to protect data 
and is not actually doing the inverse of a previous 35 
encrypt. 

In a similar manner, the information processor 
must decrypt the category encrypted program keys 
(E CK (PK)), which are used by the security element 
to generate working keys, by both its authentication 40 
key (A(M)) and the security element's authentica- 
tion key (A(C)) before communicating the message 
to security element 1 2. This is depicted at box 54. 
A frame count message (additional data used in 
generating the working keys) goes out to the secu- 45 
rity element without encryption as indicated at box 
54. 

The only values that are communicated by the 
security element to the information processor, as 
indicated at the output of box 56, are encrypted 50 
working keys. As shown, the working keys are 
encrypted under both the security element's au- 
thentication key (A(C)) and the information proces- 
sor's authentication key (A(M)). Information proces- 
sor crypto 24 must decrypt the working keys by its 55 
own authentication key and then by the security 
element's authentication key. It then passes the 
clear working key to initialize key stream genera- 



tion in a conventional manner. Since the working 
key is received by crypto 24 encrypted by the 
information processor's secret authentication key, 
there is no way to breach the interface without 
knowledge of the secret authentication key. When 
in the security element support mode, the informa- 
tion processor crypto 24 must always decrypt in- 
coming working keys. 

As should be apparent, the only job of the 
security element is to produce encrypted working 
keys. Because of its limited functionality, it can be 
manufactured at a low cost. The derivation of work- 
ing keys from the data forwarded to the security 
element will depend on the particular security al- 
gorithm used. This algorithm should be different for 
every version of the security element, to maintain 
the difficulty of breaking each new version. 

It should now be appreciated that the present 
invention provides a field upgradeable security sys- 
tem that can be used for deciphering signals re- 
ceived from a communication network. As one ver- 
sion of security is breached, a new version is 
implemented by replacing low cost security ele- 
ments that provide working keys to an information 
processor. The working keys are communicated 
from the security element to the information pro- 
cessor in an encrypted form under a secret key 
known only to the information processor and an 
authorized security element. In order to obtain the 
secret key, the unit key of the security element 
must be correct, since the secret key is commu- 
nicated to the security element encrypted under 
the unit key. 

Although the invention has been described in 
connection with a specific embodiment thereof, 
those skilled in the art will appreciate that nu- 
merous adaptations and modifications may be 
made thereto, without departing from the spirit and 
scope of the invention, as set forth in the following 
claims. 

Claims 

1. A field upgradeable security system for pro- 
cessing signals comprising: 

an information processor (10) having: 

a receptacle (26) for receiving a replace- 
able security element (12); 

means (11) for receiving data in an en- 
crypted form; 

means (14,20,24) for at least partially de- 
crypting the received data; and 

means (22,26) for communicating the at 
least partially decrypted, received data to said 
security element for use in generating a work- 
ing key; 

said replaceable security element (12) in- 
cluding: 



6 



11 



EP 0 471 373 A2 



12 



means (28) for generating said working 

key; 

means (34) for encrypting said working 
key with a secret key; and 

means (36,26) for communicating the en- 
crypted working key to said information pro- 
cessor for decryption and use in processing a 
signal. 

2. A system in accordance with claim 1 wherein 
said information processor comprises: 

means (14,20,24) for further encrypting 
said data before communicating it to said se- 
curity element. 

3. A system in accordance with claim 2 wherein: 

said secret key comprises a first authen- 
tication key (A(M)) assigned to said information 
processor; 

said means for further encrypting encrypts 
said data under said first authentication key 
before communicating it to said security ele- 
ment; and 

said security element includes means for 
decrypting said data with said first authentica- 
tion key. 

4. A system in accordance with claim 3 wherein: 

said security element includes a second 
authentication key (A(Q) assigned thereto; and 

said means for further encrypting encrypts 
said data under said second authentication key 
and said first authentication key before com- 
municating it to said security element. 

5. A system in accordance with claim 2 wherein: 

said security element includes an authen- 
tication key (A(Q) assigned thereto; and 

said means for further encrypting encrypts 
said data under said authentication key before 
communicating it to said security element. 

6. A system in accordance with any of the pre- 
ceding claims wherein: 

said data is received by the information- 
processor encrypted under a first unit key (U- 
(M)) assigned to said information processor 
and a second unit key (U(C)) assigned to said 
security element; 

said information processor partially de- 
crypts said data with said first unit key; 

the partially decrypted data is communi- 
cated to said security element still encrypted 
under said second unit key; and 

said security element decrypts said data 
with said second unit key for use in generating 
said working key. 



7. A system in accordance with claim 6 wherein: 

said secret key comprises a first authen- 
tication key (A(M)) assigned to said information 
processor; 

5 said information processor comprises 

means for further encrypting said data under 
said first authentication key before commu- 
nicating it to said security element; and 

said security element includes means for 

io decrypting said data with said first authentica- 

tion key. 

8. A system in accordance with claim 7 wherein: 

said security element includes a second 
75 authentication key (A(C)) assigned thereto; and 

said means for further encrypting encrypts 
said data under said second authentication key 
before communicating it to said security ele- 
ment. 

20 

9. A system in accordance with claim 6 wherein: 

said security element includes an authen- 
tication key (A(C)) assigned thereto; and 

said information processor comprises 
25 means for encrypting said data under said 

authentication key before communicating it to 
said security element. 

10. A system in accordance with claim 1 wherein 
30 said security element further comprises: 

an authentication key (A(C)) assigned 
thereto; and 

means for encrypting said working key 
with said authentication key in addition to said 
35 secret key for communication to said informa- 

tion processor; 

wherein said information processor in- 
cludes means for decrypting said working key 
with both said authentication key and said se- 
40 cret key. 

11. A field upgradeable security system for pro- 
cessing signals comprising: 

an information processor (10) having a se- 
45 cret first authentication key (A(M)) assigned 

thereto and a receptacle (26) for receiving a 
replaceable security element (12); 

said replaceable security element includ- 
ing: 

50 a second authentication key (A(Q) as- 

signed thereto, 

means (28) for generating a working key, 
means (34) for encrypting said working 
key with said first authentication key and said 
55 second authentication key, and 

means (36,26) for communicating the en- 
crypted working key to said information pro- 
cessor; 
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wherein said information processor in- 
cludes: 

means (14,20,24) for decrypting the en- 
crypted working key for use in processing a 
signal. 

12. A system in accordance with claim 11 wherein 
said security element includes: 

a unit key (U(C)) assigned thereto; 

means (26,36) for receiving data from said 
information processor encrypted under said 
unit key; and 

means (34) for decrypting said data with 
said unit key for use in generating said working 
key. 

13. A system in accordance with claim 12 wherein: 

said information processor comprises 
means (14,20,24) for encrypting said data un- 
der said first authentication key before commu- 
nicating it to said security element; and 

said security element includes means (34) 
for decrypting said data with both said unit key 
and said first authentication key. 

14. A system in accordance with claim 13 wherein: 

said information processor comprises 
means (14,20,24) for encrypting said data un- 
der said second authentication key before 
communicating it to said security element; and 

said security element includes means (34) 
for decrypting said data with said unit key, said 
first authentication key, and said second au- 
thentication key. 

15. A system in accordance with claim 12 wherein: 

said information processor comprises 
means (14,20,24) for encrypting said data un- 
der said second authentication key before 
communicating it to said security element; and 

said security element includes means (34) 
for decrypting said data with said unit key and 
said second authentication key. 

16. A system in accordance with claim 11 wherein: 

said information processor comprises 
means (14,20,24) for encrypting said data un- 
der said first authentication key before commu- 
nicating it to said security element; and 

said security element includes means (34) 
for decrypting said data with said first authen- 
tication key for use in generating said working 
key. 

17. A system in accordance with claim 16 wherein: 

said information processor comprises 
means (14,20,24) for encrypting said data un- 
der said second authentication key before 
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communicating it to said security element; and 
said security element includes means (34) 
for decrypting said data with said first authen- 
tication key and said second authentication 
5 key. 

18. A system in accordance with claim 11 wherein: 

said information processor comprises 
means (14,20,24) for encrypting said data un- 
10 der said second authentication key before 

communicating it to said security element; and 
said security element includes means (34) 
for decrypting said data with said second au- 
thentication key. 

75 

19. A replaceable security element, for use in 
combination with an information processor hav- 
ing a secret cryptographic key, comprising: 

means (28) for generating a working key 
20 for use by said information processor in pro- 

cessing a signal; 

means (26,36) for receiving said secret 

key; 

means (34) for encrypting said working 
25 key with said secret key and an authentication 

key (A(C)) associated with said replaceable 
security element; and 

means (36,26) for communicating the en- 
crypted working key to said information pro- 
30 cessor. 

20. A security element in accordance with claim 

19 further comprising: 

means (26,36) for receiving data encrypted 
35 under a unit key (U(C)) assigned to said secu- 

rity element, and 

means (34) for decrypting the encrypted 
data with said unit key for use in generating 
said working key. 

40 

21. A security element in accordance with claim 

20 wherein said data is received encrypted 
under said unit key and said secret key, and 
said decrypting means decrypt the encrypted 

45 data with both said unit key and said secret 

key for use in generating said working key. 

22. A security element in accordance with claim 

21 wherein said data is received encrypted 
so under said unit key, said secret key, and said 

authentication key, and said decrypting means 
decrypt the encrypted data with said unit key, 
said secret key and said authentication key for 
use in generating said working key. 

55 

23. A security element in accordance with claim 
20 wherein said data is received encrypted 
under said unit key and said authentication 
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key, and said decrypting means decrypt the 
encrypted data with said unit key and said 
authentication key for use in generating said 
working key. 

24. A security element in accordance with claim 
19 further comprising: 

means (26,36) for receiving data encrypted 
under said secret key, and 

means (34) for decrypting the encrypted 
data with said secret key for use in generating 
said working key. 

25. A security element in accordance with claim 
24 wherein said data is received encrypted 
under said secret key and said authentication 
key, and said decrypting means decrypt the 
encrypted data with said secret key and said 
authentication key for use in generating said 
working key. 

26. A security element in accordance with claim 
19 further comprising: 

means for receiving data encrypted under 
said authentication key, and 

means for decrypting the encrypted data 
with said authentication key for use in generat- 
ing said working key. 

27. An information processor, for use in combina- 
tion with a replaceable security element, com- 
prising: 

an interface (22,26) for receiving a replace- 
able security element; 

means (11) for receiving data in an en- 
crypted form; 

means (14,20,24) for partially decrypting 
the received data; and 

means (14,22,26) for communicating the 
partially decrypted, received data via said in- 
terface to a security element for use in gen- 
erating a working key. 

28. An information processor in accordance with 
claim 27 comprising: 

means (14,20,24) for further encrypting 
said partially decrypted data before commu- 
nicating it to said security element. 

29. An information processor in accordance with 
claim 28 further comprising: 

a secret key (A(M)) assigned to said in- 
formation processor; 

wherein said partially decrypted data is 
further encrypted under said secret key before 
communicating it to said security element. 

30. An information processor in accordance with 



claim 28 or 29 wherein: 

said partially decrypted data is further en- 
crypted under an authentication key (A(C)) as- 
signed to said security element before commu* 
5 nicating it to said security element. 

31. An information processor in accordance with 
claim 28 or 29 wherein: 

said partially decrypted data is further en- 
10 crypted under an authentication key (A(M)) as- 

signed to said security element before commu- 
nicating it to said security element. 

32. An information processor in accordance with 
75 any of claims 27 to 31 wherein: 

said data is received encrypted under a 
first unit key (U(M)) assigned to said informa- 
tion processor and a second unit key (U(C)) 
assigned to said security element; 
20 said information processor partially de- 

crypts said data with said first unit key; and 

the partially decrypted data is communi- 
cated to said security element still encrypted 
under said second unit key. 

25 

33. An information processor in accordance with 
claim 32 further comprising: 

a secret key (A(M)) assigned to said in- 
formation processor; and 
30 means (14,20,24) for further encrypting 

said partially decrypted data under said secret 
key before communicating it to said security 
element. 

35 34. An information processor, for use in combina- 
tion with a replaceable security element, com- 
prising: 

means (22,26) for receiving a working key 
from said replaceable security element (12), 
40 said working key encrypted with a first authen- 

tication key (A(M)) assigned to said information 
processor and a second authentication key (A- 
(C)) assigned to said security element, and 
means (14,20,24) for decrypting the en- 
45 crypted working key for use in processing a 

signal. 

35. An information processor in accordance with 
claim 34 wherein: 
50 said information processor is designed ac- 

cording to any of the features of claims 27 to 
33. 



55 



9 



EP 0 471 373 A2 



INFORMATION PROCESSOR 



DATA IN 


MICROPROCESSOR 


> 


ROM 








II 











KEY a 

ADDRESS 

RAM 

20-* 



10 



X 



A 

12 



KEY RAM 



If 



-16 



MESSAGE 
FILTER ft 
INTERFACE 

— TV 



36- 



22 



a 



■18 



CRYPTO 



24 



-26 



V 



34 



INTERFACE 



28 



it 

5E 



2l 



CRYPTO 



I? 



WORKING KEY 
GENERATOR 



32 
s30 



ROM 



SECURITY ELEMENT 

FIG. / — 



10 



EP 0 471 373 A2 



KEY 

E x (y) = y ENCRYPTED WITH KEY X 

U(X) = UNIT KEY OF X 

A(X) = AUTHENTICATION KEY OF X 



FIG. 2 



40- 



( SE ADDRESS) 
E U(M) (A(C)) 

E U(C) (A(M)) 















42^- 


CRYPTO ON 
MODULE 
A(C) STORED 


E U(C) (A(M» ^ 




44-^ 


CRYPTO ON 
SECURITY ELEMENT 
A(M) STORED 



11 



EP 0 471 373 A2 



KEY 

D x (y) = y DECRYPTED WITH KEY X 

E x (y ) = y ENCRYPTED WITH KEY X 

U(X) = UNIT KEY OFX 

A(X)= AUTHENTICATION KEYOF X 

CK= CATEGORY KEY 

PK = PROGRAM KEY 

WK= WORKING KEY 

FC = FRAME COUNT 



FIG. 3 



50' 



52- 



E U(M) D U(C) (CK * 
E CK (PK) 

FC 



CRYPTO ON MODULE 



54 
d 

D A(M)< D U(C)(CK)) 

D A(C) (D A(M)(E CK (PK))) 
FC 



56- 



W E A(C> (WK » 



CRYPTO ON 
SECURITY ELEMENT 



12 



